AIOS Changelog

Welcome to the AIOS changelog! Explore the fixes, tweaks, and features in every release of our security plugin, past and present.

Changes
  • Fix: Replaced firewall URI parsers with non-WordPress methods.
  • Fix: Resolved a PHP 5.6 compatibility issue caused by the ?? (null coalescing) operator, which requires PHP 7.0, introduced in 5.3.10.
Changes
  • Feature: Added commenting capability to IP whitelists.
  • Feature: Added diagnostics reporting.
  • Feature: Added a whitelist and user role-based access limit to the REST API firewall.
  • Fix: “Undefined index: path” error when front-end HTTP Authentication is enabled.
  • Fix: Resolved dashboard translation issue where text lacked whitespace and was not properly translated.
  • Tweak: Removed uses of unserialize() that did not restrict allowed_classes.
  • Tweak: Refactored IP commands class to use response helper.
  • Tweak: Removed WP REST API tab.
  • Tweak: Switched “Critical Feature Status” toggle buttons on the dashboard to a status light system.
  • Tweak: Updated the security strength meter on the dashboard.
  • Tweak: Improved the dashboard widget to display a chart showing the number of logins over the last 7 days.
  • Tweak: Enhanced the maintenance mode switch on the dashboard for consistency with the rest of the plugin.
  • Tweak: Converted Brute Force menu actions to use AJAX.
  • Tweak: Updated seasonal notices.
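The allowed_classes item above is worth spelling out, because unrestricted unserialize() of attacker-influenced data is the root of PHP object injection: any loadable class can be instantiated with attacker-chosen properties and its __wakeup()/__destruct() run. The following is an added example (not AIOS code) showing the unrestricted call beside the two restricted forms; the gadget class, the payload and the function names are constructed for illustration.

```php
<?php
// Added example (not code from AIOS): why every unserialize() call should pass
// the allowed_classes option. The class and payload are constructed.

// Stand-in for any class on a WordPress install whose magic methods act on
// attacker-controlled properties (a "gadget"). A real one might delete or
// write $this->target inside __wakeup() or __destruct().
class Hypothetical_Gadget {
    public $target = '';
    public static $wakeups = 0;
    public function __wakeup() {
        self::$wakeups++; // a real gadget would do its damage here
    }
}

// Constructed attacker input: the caller expected a serialized settings array,
// but the string instantiates Hypothetical_Gadget instead.
function hostile_payload(): string {
    $g = new Hypothetical_Gadget();
    $g->target = '/var/www/html/wp-config.php';
    return serialize($g); // an O:19:"Hypothetical_Gadget":... object string
}

// Before: unrestricted. Any loadable class may be instantiated and its
// __wakeup()/__destruct() run with attacker-chosen property values.
function restore_unrestricted(string $s) {
    return unserialize($s);
}

// After: no object is ever instantiated; objects come back as
// __PHP_Incomplete_Class and no magic method runs.
function restore_scalars_only(string $s) {
    return unserialize($s, ['allowed_classes' => false]);
}

// When objects of a known type are genuinely needed, allow exactly that type.
function restore_allowing(string $s, array $classes) {
    return unserialize($s, ['allowed_classes' => $classes]);
}

$payload = hostile_payload();

$obj = restore_unrestricted($payload);
printf("unrestricted:          %-24s wakeups=%d\n", get_class($obj), Hypothetical_Gadget::$wakeups);

$obj = restore_scalars_only($payload);
printf("allowed_classes=false: %-24s wakeups=%d\n", get_class($obj), Hypothetical_Gadget::$wakeups);

$obj = restore_allowing($payload, [ArrayObject::class]);
printf("allowlist:             %-24s wakeups=%d\n", get_class($obj), Hypothetical_Gadget::$wakeups);

// Plain data, which is all most settings storage needs, still round-trips.
var_dump(restore_scalars_only(serialize(['enabled' => true, 'limit' => 5])) === ['enabled' => true, 'limit' => 5]);
```

Only the unrestricted call increments the wakeup counter; with allowed_classes set to false or to an unrelated allowlist the gadget is returned as __PHP_Incomplete_Class and nothing runs. Note that the options argument to unserialize() exists only from PHP 7.0, so on PHP 5.6 (which the compatibility fix in the first section shows is still a supported target) there is no allowed_classes at all and untrusted input should not reach unserialize(); use json_decode() for plain data instead.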
Changes
  • Fix: Updated the plugin notices to fix translation related fatal errors.
Changes
  • Tweak: Change response code for blocked unauthorized REST requests to 403.
  • Tweak: Temporarily removed firewall logging.
Changes
  • Fix: Resolved an issue with the AIOS_Firewall_Resource class.
Changes
  • Fix: Custom .htaccess rules are now properly escaped, with backslashes removed.
  • Fix: Import settings failed when visitor lockout messages had text alignment or other formatting applied.
  • Fix: The audit log filter for event type now works correctly, even when the event type is translated into languages other than English.
  • Fix: Resolved text overflow in the blue box on the Settings > WP Version Info page.
  • Fix: Some user meta keys were not being removed after uninstalling the plugin.
  • Fix: Subsites no longer incorrectly detect the Database Prefix feature as active.
  • Fix: Prevented fatal errors from missing firewall resources, replacing them with debug log entries.
  • Fix: WordPress database error: BLOB, TEXT, GEOMETRY, or JSON columns cannot have a default value set.
  • Fix: The load_plugin_textdomain function is called during the init action, and translations are applied afterward.
  • Fix: Renamed login page is now using the WordPress translations.
  • Tweak: Added a filter for PHP firewall rules templates.
  • Tweak: Updated the country code field for audit logs to be based on the IP address. (Premium)
  • Tweak: Improved the text in the 404 detection tab.
  • Tweak: Moved the allowlist into the blacklist tab, and renamed it to “Block & Allow Lists.”
  • Tweak: Moved the WP REST API feature to the PHP rules tab.
  • Tweak: Refactored multiple command classes to use the new AJAX response helper method: Tools, File scan, Files, Settings, and Log commands classes.
  • Tweak: Updated the UI for the .htaccess rules, Captcha settings and file protection tabs.
  • Tweak: Added a note in Settings > Delete plugin settings tab.
  • Tweak: Early calls to get_plugin_data() no longer require translations.
  • Tweak: Refactored the firewall command class to use the response helper method.
  • Tweak: Added a constant AIOS_DISABLE_HTTP_AUTHENTICATION. Define this in your wp-config.php to disable HTTP authentication.
Changes
  • Feature: Added an HTTP authentication feature that allows protecting the site with a username/password login.
  • Fix: Added a new method to reset the firewall rules under general settings.
  • Fix: Resolved a post cache issue that broke comment spam prevention.
  • Tweak: Added a helper class for API requests.
  • Tweak: Removed whitespace at the end of sentences.
Changes
  • Feature: Added captcha option for WooCommerce classic guest checkout page.
  • Fix: Fixed responsive layout issues with dashboard notice logo on mobile devices.
  • Fix: Turnstile captcha widget showing multiple times.
  • Fix: Fixed a memory issue when reading large host system log files.
  • Fix: Removed .htaccess options from the Settings menu on Nginx, IIS and unsupported web servers.
  • Fix: Resolved a popup UX issue and the sanitization of firewall allowlist entries.
  • Fix: Resolved an issue where bulk table actions were still executed even if the confirmation dialog was cancelled.
  • Fix: Added a null check to prevent PHP warnings in firewall rules.
  • Tweak: Ajaxified the actions in the settings, filesystem security, spam prevention and user security menus.
  • Tweak: Added Ajax support to list tables and the audit log.
  • Tweak: Added a CAPTCHA field to the MemberPress forgot password and registration forms.
  • Tweak: Excluded .htaccess tabs from settings if the server is not supported.
  • Tweak: Updated the firewall rules UI and malware scanner description.
  • Tweak: Tweaked the .htaccess backup method to generate a random filename.
  • Tweak: Removed ‘prevent access to default WP files’ from .htaccess and added ‘license.txt’ to deletion list.
Changes
  • Fix: Bug that allowed subsite admins to delete audit logs of other subsites.
  • Fix: Disabled blacklisting on subsites because the PHP-based firewall currently applies to the entire multisite.
  • Fix: An issue with fetching the Googlebot IP ranges.
  • Tweak: Added extra protections in place before modifying the .htaccess file.
  • Tweak: Actions in the tools, firewall and scanner menu are now processed via AJAX.
  • Tweak: Trimmed leading and trailing whitespace from inputs in the WHOIS lookup tab.
  • Tweak: Added a confirmation pop-up when users clear records in the Debug Logs table.
  • Tweak: Added captcha support for the MemberPress plugin.
  • Tweak: Improved the UX of the WP REST API options.
  • Tweak: Internal code improvements to improve maintainability.
  • Tweak: Updated the feature manager to improve performance.
  • Tweak: Fixed the issue of blank tables on mobile view.
Changes
  • Feature: Added CAPTCHA to password protected pages/posts.
  • Fix: Captcha not showing on the BuddyPress registration page.
  • Fix: WooCommerce logout issue when the renamed login page and login whitelist features are both enabled.
  • Fix: Missing CAPTCHAs when multiple WooCommerce login and register forms are on the same page.
  • Fix: Fixed an issue with the 404 detection actions.
  • Fix: A UI issue with the 2FA QR code image.
  • Tweak: Added the attribute data-cfasync="false" to the default CAPTCHA script URL so that it loads under Cloudflare Rocket Loader.
  • Tweak: Purge login lockdown table records after 90 days to restrict size. The AIOS_PURGE_LOGIN_LOCKOUT_RECORDS_AFTER_DAYS constant has been added to change the default.
  • Tweak: Updated the malware scanner frequency text from daily to weekly.
  • Tweak: Updated the password strength meter UI for the password tool.
  • Tweak: Add a ‘Lock IP’ and ‘Blacklist IP’ link to the IP column of the audit log.
  • Tweak: Enhanced fake Googlebot detection: where gethostbyaddr fails, the firewall falls back to checking the address against known Googlebot IP ranges.
  • Tweak: Updated the column header for the “Permanent Blocked IP Addresses” table to be consistent with other tables.
  • Tweak: Prevent warning when DISALLOW_FILE_EDIT has already been defined.
  • Tweak: Fix instances of one translation function being used for multiple sentences.
  • Tweak: Improved the UX during AJAX calls.
  • Tweak: Removed Trash spam comments duplicated description.
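The fake-Googlebot check described in this release (reverse DNS first, published IP ranges when gethostbyaddr fails) is worth seeing end to end, including the forward-confirmation step that stops anyone from simply putting "googlebot.com" in their own PTR record. The block below is an added example, not AIOS code: the DNS answers and the IP ranges are constructed sample data, and the resolver functions are injected so the logic runs offline.

```php
<?php
// Added example (not AIOS code): verifying a visitor that claims to be Googlebot.
// Google's documented check is reverse DNS on the IP (the PTR name must be under
// googlebot.com or google.com) followed by a forward lookup that must return the
// same IP. When reverse DNS is unavailable the code falls back to Google's
// published crawler IP ranges. DNS answers and ranges below are constructed
// sample data; in production pass gethostbyaddr/gethostbynamel and load the
// ranges from Google's published JSON.

function ip_in_cidr(string $ip, string $cidr): bool {
    $parts  = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $subBin = inet_pton($parts[0]);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false; // malformed, or IPv4 tested against an IPv6 range (or vice versa)
    }
    $bits = isset($parts[1]) ? (int) $parts[1] : strlen($subBin) * 8;
    if ($bits < 0 || $bits > strlen($subBin) * 8) {
        return false;
    }
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($subBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = 0xFF & (0xFF << (8 - $rem));
    return (ord($ipBin[$bytes]) & $mask) === (ord($subBin[$bytes]) & $mask);
}

// $reverse and $forward are injected so the logic runs offline; in production
// pass 'gethostbyaddr' and 'gethostbynamel'.
function is_verified_googlebot(string $ip, array $ranges, callable $reverse, callable $forward): bool {
    $host = $reverse($ip);
    // gethostbyaddr() returns the IP itself when there is no PTR record and
    // false on error; both mean "reverse DNS unavailable", not "fake".
    if (is_string($host) && $host !== '' && $host !== $ip) {
        $host = rtrim(strtolower($host), '.');
        if (!preg_match('/(^|\.)(googlebot|google)\.com$/', $host)) {
            return false; // a PTR exists and it is not Google's: definitely fake
        }
        // Forward-confirm: the name must resolve back to the connecting IP.
        $addresses = $forward($host);
        return is_array($addresses) && in_array($ip, $addresses, true);
    }
    foreach ($ranges as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

function claims_googlebot(string $userAgent): bool {
    return stripos($userAgent, 'Googlebot') !== false;
}

// Firewall decision: only requests that claim to be Googlebot are subject to
// the check, so ordinary visitors are never touched by it.
function fake_googlebot_decision(string $ip, string $userAgent, array $ranges, callable $reverse, callable $forward): string {
    if (!claims_googlebot($userAgent)) {
        return 'allow';
    }
    return is_verified_googlebot($ip, $ranges, $reverse, $forward) ? 'allow' : 'block';
}

// Constructed DNS tables. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
$ptr = [
    '66.249.66.1'  => 'crawl-66-249-66-1.googlebot.com',
    '203.0.113.5'  => 'scanner.example.net',            // real PTR, wrong domain
    '198.51.100.7' => '198.51.100.7',                   // no PTR record: gethostbyaddr echoes the IP
    '66.249.70.9'  => false,                            // lookup failure, but inside a published range
    '192.0.2.44'   => 'fake.googlebot.com.example.org', // suffix spoof: not under googlebot.com
];
$fwd = [
    'crawl-66-249-66-1.googlebot.com' => ['66.249.66.1'],
    'scanner.example.net'             => ['203.0.113.5'],
];
$ranges = ['66.249.64.0/19', '2001:4860:4801::/48']; // constructed sample; fetch the real list from Google

$reverse = function (string $ip) use ($ptr) { return $ptr[$ip] ?? false; };
$forward = function (string $host) use ($fwd) { return $fwd[$host] ?? false; };

$ua = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
foreach (array_keys($ptr) as $ip) {
    printf("%-14s %s\n", $ip, fake_googlebot_decision($ip, $ua, $ranges, $reverse, $forward));
}
printf("%-14s %s\n", '203.0.113.5', fake_googlebot_decision('203.0.113.5', 'curl/8.0', $ranges, $reverse, $forward));
```

Two details matter in practice. gethostbyaddr() returns the unchanged IP, not false, when there is no PTR record, so the result must be compared against the input before it is treated as a hostname; otherwise every unresolvable address is wrongly classified as a non-Google host and blocked, which is the failure the later "Prevent legitimate Googlebot traffic being blocked" fix describes. And the range list changes, so fetch and cache Google's published JSON rather than hard-coding it.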
Changes
  • Feature: Added bulk force logout features for logged in users.
  • Fix: An issue with the WooCommerce my account page logout function when the cookie based brute force feature is turned on.
  • Fix: PHP warning “Undefined array key SCRIPT_FILENAME”.
  • Fix: Custom redirection after login not working if the URL contains the redirect_to parameter.
  • Fix: List of administrator accounts not showing on the user security page.
  • Fix: Cookie based brute force prevention now works when the salt postfix feature is on.
  • Fix: Fixed country field not showing in the 404 event logs (Premium).
  • Fix: Fixed country field not showing in the smart 404 blocked IP log (Premium).
  • Tweak: Fixed translations not following the admin user's chosen language rather than the site language.
  • Tweak: Firewall upgrade changes are applied without access to the admin interface.
  • Tweak: Change the labels for the switches to a more appropriate wording.
  • Tweak: In the file scanner results show the file sizes in a human readable format.
  • Tweak: Updated the default message for attempts to access wp-admin.
  • Tweak: Internal refactor of the update code to improve code clarity.
  • Tweak: Port the ‘Block fake Googlebots’ feature to the PHP-based firewall.
  • Tweak: Remove requirement for at least one IP for ‘Blacklist’, ‘Login whitelist’ and ‘Login lockout IP whitelist’ to be enabled.
  • Tweak: Added error message when a user tries to block their own IP on registration approval.
  • Tweak: Added method to update badge on AJAX call.
  • Tweak: Internal refactor of the AIOWPSecurity_Utility_File class to improve code clarity.
  • Tweak: Seasonal notice content update for 2024.
Changes
  • Fix: Remove call to update_event_table_column_to_timestamp in update routine.
  • Fix: Remove call to wp_timezone() which is only available in WP 5.3+.
Changes
  • Fix: The user check that affects the Duo authentication plugin
  • Fix: Database update routine is now run without needing to visit the admin interface or each individual site in a multisite
  • Fix: Some settings in the firewall menu not resetting after deactivating and reactivating the plugin.
  • Tweak: Audit log and 404 events CSV export file date time column is now in a human readable format rather than a Unix timestamp
  • Tweak: Debug log table existing datetime field converted to timestamp to be timezone independent
  • Tweak: Global meta table existing datetime field converted to timestamp to be timezone independent
  • Tweak: Permanent block table existing datetime field converted to timestamp to be timezone independent
  • Tweak: Refactor list item actions to further improve code clarity
  • Tweak: Removed blacklist admin menu as previously announced
  • Tweak: Removed miscellaneous admin menu as previously announced
  • Tweak: Removed various admin menu tabs as previously announced
  • Tweak: Store IP lookup result for other types of entries in the login lockdown table
  • Tweak: Update the footer review prompt
  • Tweak: The 250 MB maximum file upload size limit applied via the aiowps_max_allowed_upload_config filter has been removed
  • Tweak: Improve comment spam detection to not interfere with other forms
Changes
  • Security: Added nonce checks to various list table actions to prevent a CSRF vulnerability. Thanks to dhakal_ananda for disclosing this defect. This would allow an attacker who persuaded a logged-in administrator to visit a specially crafted link to perform actions on the 404 event records.
Changes
  • Security: Removed unnecessary use of the “tab” query parameter on various admin menu pages to prevent a non-persistent XSS vulnerability. Thanks to Matthew Rollings for disclosing this defect. (This would allow an attacker who deliberately targets you whilst logged in as an administrator and persuades you to visit a link he controls to inject unwanted scripts on a single visit to your AIOS admin page).
  • Feature: Added logout event to the audit logs
  • Feature: Add ability to delete the default readme.html file and wp-config-sample.php file
  • Fix: Correct some translation calls that were using the wrong text domain
  • Fix: PHP notice caused by the file scanner being unable to read its data file
  • Fix: Unlock request button was not showing and redirected to 127.0.0.1
  • Fix: Database errors for the aiowps_login_lockdown table during plugin installation
  • Tweak: Refactor the 6G UI
  • Tweak: Added an option to set the Cloudflare Turnstile CAPTCHA theme
  • Tweak: Added CSS styling for audit log details column
  • Tweak: Dashboard critical feature status links fixed and only show features that can be enabled in a multisite subsite
  • Tweak: Deactivating the plugin now removes stored login info so on the next activation users are not force logged out
  • Tweak: Display the JSON string instead of null if json_decode fails for audit log details
  • Tweak: Event table existing datetime field converted to timestamp to be timezone independent
  • Tweak: Various tweaks to get codebase up to coding standards
  • Tweak: Various tweaks to ensure multiple sentences are not passed to a single translation function
  • Tweak: Fix the broken UI for RSS and Atom firewall settings and added a more info box
  • Tweak: Fix non-unique element IDs in the DOM
  • Tweak: Merge Username and Display Name tabs in User Security Settings
  • Tweak: Moved the ‘404 detection’ tab to the ‘Brute force’ admin menu
  • Tweak: Moved the ‘PHP file editing’ tab into ‘File Protection’ tab
  • Tweak: Moved the ‘User enumeration’ tab into the ‘User accounts’ tab in the User Security Menu
  • Tweak: Moved the ‘WP Rest API’ tab into the Firewall Menu
  • Tweak: Moved the ‘Copy protection’ and ‘Frames’ tab into the Filesystem security menu
  • Tweak: Moved the ‘Salt’ tab into the User security menu
  • Tweak: Moved ‘Blacklist Manager’ tab into the Firewall menu.
  • Tweak: Password resets, removed and deleted users are now recorded in the audit log
  • Tweak: Stop 404 IP from being locked if there’s a current lock on that IP
  • Tweak: Unify date and time conversion with support for the user's timezone
  • Tweak: Changed how empty data in ip lookup result is stored in the database
  • Tweak: Rework Firewall Menu page to have two tabs for PHP and .htaccess rules
  • Tweak: Add captcha support for Contact Form 7
  • Tweak: Added an AJAX save settings and get features details badge function as part of ongoing work to add AJAX support to the plugin settings
  • Tweak: Enhance reset password email by adding IP info
  • Tweak: Remove defunct imagetoolbar meta tag
  • Tweak: Login lockout tables existing datetime field converted to timestamp to be timezone independent
  • Tweak: Code improvements – utilising WP_Error objects instead of arrays
Changes
  • Security: On a multisite install, if using the AIOS feature for renaming and hiding the login page, a route existed for an attacker to discover the hidden login page, thus negating the usefulness of the feature. Thanks to Naveen Muthusamy for disclosing this defect.
  • Feature: Block POST requests that have a blank user-agent and referer
  • Feature: Added reverse IP Lookup data to the login lockdown notification email
  • Fix: Prevent a fatal error when setting up the firewall if the host has disabled the function parse_ini_file
  • Fix: Prevent the firewall message store from filling up with unused entries
  • Fix: Prevent legitimate Googlebot traffic being blocked on sites where the gethostbyaddr function fails or is disabled
  • Fix: An issue that prevented MainWP updates from being performed correctly
  • Fix: Prevent user enumeration via the REST API and oEmbed protocol
  • Fix: User agent blacklist not matching all strings correctly
  • Fix: Logged in user table not showing the correct information
  • Tweak: Improve comment spam detection by using hidden fields and cookies
  • Tweak: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist
  • Tweak: The menu actions in the dashboard admin menu are now processed via AJAX
  • Tweak: Converted checkboxes in the admin menu pages to switches
  • Tweak: Add network_id and site_id column to debug logs table for differentiating logs between sites on multisite
  • Tweak: Combined various user admin menus into a new ‘User Security’ admin menu
  • Tweak: Export configuration filename now reflects the local timezone.
  • Tweak: Improve the UI/UX of the file scanner making way for future improvements
  • Tweak: Redesign the feature manager badges
  • Tweak: Removed various admin menu tabs as previously announced
  • Tweak: Add features that depend on other plugins to the feature manager conditionally
  • Tweak: Added a null check to function that removes wp meta info from scripts and styles src to prevent a PHP deprecation warning
  • Tweak: Audit log date and time are now displayed in the site's timezone
  • Tweak: Fixed PHP warning “undefined array key REQUEST_METHOD” in rule-proxy-comment-posting.php
  • Tweak: When TranslatePress is active, logging out via WooCommerce should not show a 404 page if the “rename login page” setting is on.
Changes
  • Fix: Ported firewall settings are no longer disabled on upgrade
Changes
  • Fix: Fatal error “set_value() on null” when the firewall config is missing
  • Fix: PHP notices when running under cron
  • Fix: Revert change that caused the Brute force login whitelist to show the server IPs and not the users
  • Tweak: Add communication mechanism so that firewall can send data to WordPress
  • Tweak: Remove incorrect mentions of the .htaccess file on PHP Firewall rules
Changes
  • Feature: An allow list of IP addresses which bypass the firewall rules
  • Fix: Fix get_class() on null fatal error when updating via ManageWP
  • Fix: No such file or directory notice generated by the firewall’s config file
  • Fix: Only send the upgrade email if one or more of the ported rules had been enabled
  • Fix: Fake Google bots are now blocked if bot server IP address does not resolve to a hostname
  • Fix: Google reCaptcha now appears correctly on the WooCommerce checkout page
  • Fix: Prevent WooCommerce auto login if manual registration approval is turned on
  • Fix: Premium upgrade tab UI overlapping issue.
  • Fix: Allow maintenance mode to be controlled via WP-CLI (Premium)
  • Fix: Use the correct site id for login success events added to audit log table on Multisite
  • Fix: Added missing features to the feature manager list
  • Fix: A warning when using the update all command via WP-CLI
  • Tweak: AIOS settings based IP address is now used instead of the REMOTE_ADDR server variable for multiple wrong 2FA code notification
  • Tweak: Added aios_audit_log_record_event filter to allow events to not be recorded
  • Tweak: Improve the feature item manager code structure making way for future improvements
  • Tweak: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist.
  • Tweak: Move the ‘Custom rules’ tab from the ‘Firewall’ section to its own tab in the ‘Tools’ section
  • Tweak: Move the ‘Prevent hotlinking’ tab to the ‘File protection’ tab in the ‘Filesystem Security’ menu
  • Tweak: Moved all CAPTCHA settings to the ‘CAPTCHA settings’ tab in the ‘Brute Force’ menu
  • Tweak: Moved the ‘Password tool’ tab to the ‘Tools’ admin menu
  • Tweak: Moved the ‘Visitor lockout’ tab to the ‘Tools’ admin menu
  • Tweak: Moved the ‘User registration honeypot’ tab to the ‘Brute force’ admin menu
  • Tweak: Remove ‘Account activity table’ as these entries are also recorded in the audit log
  • Tweak: Removed the ‘Failed login records’ tab as previously announced, these are now recorded in the audit log
  • Tweak: Improve list table code performance
  • Tweak: Removed use of $_GET, $_POST, $_REQUEST from all template files making way for future improvements
Changes
  • Fix: Include helper class file from loader
  • Tweak: Conditionally load TFA block JavaScript
Changes
  • Security: Remove authentication data from the stacktrace before saving to the database. This defect meant that a site administrator had the potential, between releases 5.1.9 and 5.2.0 (which purges the existing data), to learn site users’ passwords. This information has limited value (an admin can already reset anyone’s password) except insofar as the passwords may be re-used by users on other sites. In that “hostile admin” scenario, your site has other problems (since the hostile admin has a whole raft of equivalent ways of causing mischief to users, especially if not on multisite, where a site admin is potentially not a super admin and may not be able to install or configure plugins). This changelog has been expanded in response to incorrect reports which suggested a wider problem (for example, they did not mention that the attacker needs to already be logged in as an admin to read the log, or that upgrading to 5.2.0 deletes the affected data).
  • Security: Set tighter restrictions on what subsite admins can do in a multisite.
  • Fix: After editing a file reset permissions back to the original permissions
  • Fix: Corrected some broken links in the plugin
  • Fix: Fatal error: cannot declare class
  • Fix: Normalise all arguments in the stacktrace
  • Fix: Wrong login entries added to login activity table on multisite when user logs into subsite they don’t belong to.
  • Fix: Fixed a “too many redirects” error for force-logged-out users
  • Tweak: Under cron, WP-CLI, or when the AIOS_DISABLE_EXTERNAL_IP_ADDR constant is defined, do not use external services to determine user IP addresses. Silenced the api.ipify.org request-failed warning.
  • Tweak: Added the missing translation and a generate password button to the reset password page of the renamed login page
  • Tweak: Added aios_audit_log_event_user_ip filter to allow filtering of IP addresses in the audit log
  • Tweak: Added action hook aios_reset_all_settings for reset all settings.
  • Tweak: Renamed login page now has the language switcher dropdown and other tweaks in line with WordPress 6.2
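The stacktrace item at the top of this release is a general logging hazard rather than anything AIOS-specific: debug_backtrace() captures argument values, so any frame passing through wp_signon() or wp_check_password() carries the submitted password, and a logger that serialises the trace writes it to the database. The block below is an added example (not AIOS code) of scrubbing such a trace before it is persisted; the lists of sensitive functions and keys, the helper names and the sample trace are my own constructions.

```php
<?php
// Added example (not AIOS code): scrubbing credentials from a PHP backtrace
// before it is stored. The function names listed are WordPress core
// authentication functions; which functions and array keys count as sensitive
// is my choice, as is the shape of the sample trace (constructed to look like
// the output of debug_backtrace()).

const SENSITIVE_FUNCTIONS = [
    'wp_signon', 'wp_authenticate', 'wp_authenticate_username_password',
    'wp_check_password', 'wp_set_password', 'wp_hash_password',
];
const SENSITIVE_KEYS = ['password', 'user_password', 'pwd', 'pass1', 'pass2', 'secret', 'token'];

// Normalise one argument so the stored trace is compact and JSON-safe:
// objects become their class name, long strings are truncated, and arrays
// are walked with sensitive keys replaced.
function normalise_arg($arg, int $depth = 0) {
    if ($depth > 2) {
        return '[nested]';
    }
    if (is_object($arg)) {
        return '[object ' . get_class($arg) . ']';
    }
    if (is_resource($arg)) {
        return '[resource]';
    }
    if (is_string($arg)) {
        return strlen($arg) > 64 ? substr($arg, 0, 64) . '...' : $arg;
    }
    if (is_array($arg)) {
        $out = [];
        foreach ($arg as $key => $value) {
            $out[$key] = in_array(strtolower((string) $key), SENSITIVE_KEYS, true)
                ? '[redacted]'
                : normalise_arg($value, $depth + 1);
        }
        return $out;
    }
    return $arg; // int, float, bool, null
}

function scrub_backtrace(array $trace): array {
    foreach ($trace as &$frame) {
        unset($frame['object']); // never persist live objects from the trace
        if (!isset($frame['args']) || !is_array($frame['args'])) {
            continue;
        }
        $function = strtolower($frame['function'] ?? '');
        if (in_array($function, SENSITIVE_FUNCTIONS, true)) {
            // Every positional argument of an auth function may be a credential or a hash.
            $frame['args'] = array_fill(0, count($frame['args']), '[redacted]');
        } else {
            $frame['args'] = array_map('normalise_arg', $frame['args']);
        }
    }
    unset($frame);
    return $trace;
}

// Constructed sample of what debug_backtrace() returns during a login, holding
// the values an unscrubbed logger would have written to the database.
function sample_login_trace(): array {
    return [
        ['function' => 'wp_check_password', 'args' => ['hunter2', '$P$BConstructedHashValue', 42]],
        ['function' => 'wp_signon', 'args' => [['user_login' => 'admin', 'user_password' => 'hunter2', 'remember' => true], '']],
        ['function' => 'handle_login', 'class' => 'Hypothetical_Login_Handler', 'type' => '->',
         'object' => new stdClass(), 'args' => [['log' => 'admin', 'pwd' => 'hunter2'], new stdClass()]],
        ['function' => 'do_action', 'args' => ['wp_login', 'admin']],
    ];
}

// Final gate before the database write: refuse to persist anything that still
// contains a secret we know about (at login time, the submitted password).
function trace_for_storage(array $trace, array $known_secrets): string {
    $json = json_encode(scrub_backtrace($trace), JSON_UNESCAPED_SLASHES);
    foreach ($known_secrets as $secret) {
        if ($secret !== '' && strpos($json, $secret) !== false) {
            throw new RuntimeException('credential would have been written to the log');
        }
    }
    return $json;
}

echo trace_for_storage(sample_login_trace(), ['hunter2']), "\n";
```

The scrub treats the whole argument list of an authentication function as sensitive (the hash argument to wp_check_password() is as worth protecting as the plaintext) and redacts by key inside arrays passed to anything else. If the logger never needs argument values at all, the stronger fix is to capture the trace with debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS), so the credentials are never in memory to be scrubbed.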
Changes
  • Feature: IP address blacklist manager functionality is now based on PHP instead of .htaccess rules. Added the AIOS_DISABLE_BLACKLIST_IP_MANAGER constant; define it in your wp-config.php to disable the IP blacklist manager.
  • Feature: Detect spambots posting comments and discard them completely or mark them as spam.
  • Feature: Encrypt TFA secret keys that are stored in the database (extra protection in case of your database being hacked)
  • Feature: Added a “Delete all” and “Delete filtered” bulk action to the audit log table
  • Fix: Prevent Cloudflare Turnstile being added to login forms when no credentials were set
  • Fix: Change where the audit log event handler is loaded to prevent an error on plugin deletion
  • Fix: Fix context class checks to support CLI
  • Tweak: Multisite super admin can access the subsite dashboard without logging in again if salt postfix is enabled
  • Tweak: The CAPTCHA JavaScript file is no longer unnecessarily loaded on some site pages when comment CAPTCHA or custom login CAPTCHA is enabled
  • Tweak: Change some nonce checks to use our internal function to check user capability and nonces
  • Tweak: User registrations and successful logins are now recorded in the audit log
  • Tweak: Added a commands class and refactored AJAX handlers
  • Tweak: Captcha verification to prevent conflicts with some plugins that recall the WordPress authentication code
  • Tweak: Improve database table prefix feature UI.
  • Tweak: WordPress core updates are now recorded in the audit log
  • Tweak: Translation updates are now recorded in the audit log
  • Tweak: Add an entity changed event to the audit log when upgrader information is not available
  • Tweak: Fixed automated emails sent by AIOS that failed to send because of the From address
Changes
  • Fix: 404 detection – Individual record blacklisting, delete, temp block actions stopped working in 5.1.7
  • Fix: Uncaught fatal error on null ‘set_value’
  • Fix: Remove audit log event handler actions on plugin deletion to prevent an error
  • Fix: Remove some audit log event handlers on plugin deletion to prevent an error
  • Fix: Get correct wp-config path when installed in a subdirectory
  • Tweak: Timed-out exceptions from AIOS_Helper::request_remote are now ignored.
  • Tweak: Updated use of the Requests_IPv6 class name, which is deprecated in WordPress 6.2.
  • Tweak: Failed login attempts are now recorded in the audit log
Changes
  • Fix: Prevent fatal error when calling get_server_detected_user_ip_address() when the firewall is not setup
  • Tweak: Clarify dashboard notice title and change image.
Changes
  • Feature: Added an audit log
  • Feature: Add salt postfix option to improve your site’s security
  • Feature: Shared library that can be used from the firewall.
  • Fix: Fixed the 404 page shown when the renamed login slug has the form wp-login-RANDOM_SUFFIX, and cleaned up the multisite activation code.
  • Fix: Divi child theme conflict – Call to undefined function et_builder_get_fonts() in functions.php on line 208 solved.
  • Fix: Captcha settings tab in multisite installation for subsites not showing
  • Fix: Cron reschedule event error for hook aios_15_minutes_cron_event if plugin deactivated or uninstalled
  • Tweak: Stop user enumeration now shows 403 forbidden error code instead of 500 server error
  • Tweak: Fixed PHP 8.1 deprecation warning (rawurldecode(): passing null to a parameter of type string) in the 6G block request string rule
  • Tweak: Code clean up for disable cookie based brute force constant as rule moved to firewall
  • Tweak: Comment spam IP monitoring page UI
  • Tweak: Updated seasonal notices
  • Tweak: Improve internal code structure making way for future improvements
  • Tweak: Remove mention of the 6g firewall rules being .htaccess based as they are now php based
  • Tweak: Added new internal function to check user capability and nonces
  • Tweak: Improve config code with inline saving.
  • Tweak: Allow audit log to be filtered and exported to CSV
Changes
  • Feature: Added Cloudflare Turnstile CAPTCHA support
  • Fix: Notices about undefined array key HTTP_USER_AGENT solved.
  • Fix: New v5 features not saved in export file and not properly reset after uninstallation.
  • Fix: File permission change being applied to the last record not selected one. Also, no longer change permissions when they are already tighter than the suggested.
  • Fix: Fatal error ‘Call to a member function contains_contents() on null’
  • Tweak: Removed wrong information about login whitelist being implemented via htaccess.
  • Tweak: Refactoring settings tasks for WP CLI AIOS premium commands.
  • Tweak: Improved a page load performance issue caused by the check for an incompatible TFA premium plugin.
  • Tweak: Make sure translation domain is registered before attempting to use it
  • Tweak: Replaced click with press in text because users could be on mobile etc and not using a mouse.
  • Tweak: Registration, comment, BuddyPress and bbPress admin pages now show a notice to enable the CAPTCHA settings.
  • Tweak: Improve the UI/UX for the 404 detection tab
  • Tweak: Improve internal code structure making way for future improvements
  • Tweak: PHP 8.2 deprecation warning for dynamic properties
  • Tweak: Remove the unintended ability for directory traversal and lack of escaping when outputting files with the “view system log” feature. This facility is only available to an administrator (who can of course already do anything on the site, so this has no security implications) and allowed them to view the last 50 lines of any file, or list any directory, on the system where the web server has read access.
  • Tweak: Firewall gets constants from a single source.
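The “view system log” item above names two defects at once: a path parameter that could escape the intended directory, and output written without escaping. The block below is an added example (not AIOS code) of a viewer that canonicalises the requested path, refuses anything outside a fixed log directory, reads only the last N lines with bounded memory, and HTML-escapes each line before output. Directory names, helper names and log contents are constructed.

```php
<?php
// Added example (not AIOS code): a "view system log" helper that cannot be
// steered to arbitrary files and escapes what it prints. It (1) canonicalises
// the requested path and requires it to stay inside a fixed log directory,
// (2) reads only the last N lines with bounded memory, and (3) HTML-escapes
// every line. Directory names and log contents below are constructed.

// Returns the canonical path if $candidate resolves inside $baseDir, else null.
// realpath() collapses ../ segments and follows symlinks, so the prefix test
// is done on what the filesystem will actually open, not on the raw string.
function path_within(string $candidate, string $baseDir): ?string {
    $realBase = realpath($baseDir);
    $real     = realpath($candidate);
    if ($realBase === false || $real === false) {
        return null;
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $realBase, strlen($realBase)) === 0 ? $real : null;
}

// Last $n lines, streamed so memory stays O($n) however large the file is.
function tail_lines(string $file, int $n = 50): array {
    $fh = fopen($file, 'rb');
    if ($fh === false) {
        return [];
    }
    $window = [];
    while (($line = fgets($fh)) !== false) {
        $window[] = rtrim($line, "\r\n");
        if (count($window) > $n) {
            array_shift($window);
        }
    }
    fclose($fh);
    return $window;
}

// The only function that sees user input. $requested comes straight from the
// request; $logDir is a server-side constant, never taken from the request.
function render_log_view(string $requested, string $logDir, int $n = 50): string {
    $path = path_within($logDir . DIRECTORY_SEPARATOR . $requested, $logDir);
    if ($path === null || !is_file($path) || !is_readable($path)) {
        return '<p>Log file not available.</p>'; // do not echo $requested back
    }
    $out = '<pre>';
    foreach (tail_lines($path, $n) as $line) {
        $out .= htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
    }
    return $out . '</pre>';
}

// Constructed fixture: a log directory plus a file outside it that must stay unreadable.
$root   = sys_get_temp_dir() . '/aios-example-' . bin2hex(random_bytes(4));
$logDir = $root . '/logs';
mkdir($logDir, 0700, true);
file_put_contents($root . '/wp-config.php', "define('DB_PASSWORD', 'constructed');\n");
$lines = [];
for ($i = 1; $i <= 120; $i++) {
    $lines[] = "[line $i] GET /?q=<script>alert($i)</script>";
}
file_put_contents($logDir . '/access.log', implode("\n", $lines) . "\n");

echo render_log_view('access.log', $logDir, 3), "\n";     // last three lines, script tags neutralised
echo render_log_view('../wp-config.php', $logDir), "\n";  // traversal attempt is refused
echo render_log_view('/etc/passwd', $logDir), "\n";       // absolute path is joined under $logDir and refused

// Clean up the fixture.
unlink($logDir . '/access.log');
unlink($root . '/wp-config.php');
rmdir($logDir);
rmdir($root);
```

An allowlist of named log files (a fixed map from a short key to a path, with the key rather than a path in the request) is simpler still and avoids realpath() entirely; the containment check is the general form for when the set of files is not known in advance. Either way the output must be escaped, because log lines contain whatever a visitor sent in the request.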
Changes
  • Feature: Add option to disable RSS and ATOM feeds.
  • Fix: The IP address blacklist manager wasn’t working.
Changes
  • Security: No longer save settings import files in a publicly accessible folder where they can be potentially indexed by search engines if the administrator does not actually import the settings (which deletes the import file)
  • Feature: Implement firewall events system
  • Fix: Protect subsites when firewall is loaded via plugins_hook
  • Tweak: Improve the UX for uploading import files
  • Tweak: Add a default CAPTCHA option making way for new CAPTCHAs in the future
Changes
  • Feature: User agent blacklist manager functionality is now based on PHP instead of .htaccess rules.
  • Fix: Sorting by ‘status’ on the comment spam table
  • Fix: Copy protection feature not working on iPhone
  • Fix: Cookie based brute force prevention locks out if plugin deactivated and activated again.
  • Fix: The notice to reapply .htaccess rules after reactivating the plugin is displayed on subsites.
  • Fix: Various WordPress command line notices about undefined $_SERVER indexes
  • Fix: Deactivate and reactivate plugin firewall settings file sync issue solved.
  • Tweak: 2FA setting page to show premium options for AIOS premium.
  • Tweak: Remove characters that should not have been on the scanner page
  • Tweak: Organise firewall rules into subdirectories
  • Tweak: Added GDPR question answer to the AIOS WP org plugin’s FAQ section.
  • Tweak: Allow AIOS management permission to be filtered via aios_management_permission filter
  • Tweak: Make use of is_main_site() function.
  • Tweak: Copy IP to clipboard when clicking on it at WP Security -> Brute Force -> Login whitelist.
  • Tweak: Better context detection for the firewall
Changes
  • Security: Fixed a failure to check bulk action nonces, leading to a CSRF vulnerability. Exploitation would require an attacker to craft a link specifically for your site, and persuade you to click it whilst logged in; if you did so, this could result in bulk actions being carried out on AIOS list tables (e.g. delete entries from blocked IP address lists), with the attacker being restricted to deleting entries by database ID numbers that he cannot know directly (e.g. 15, 16, 17) and not IP address (e.g. 100.101.102.103).
  • Feature: Cookie-based brute force prevention implemented with the new PHP based firewall system.
  • Fix: AIOWPSecurity_WP_Loaded_Tasks::site_lockout_tasks() method visibility
  • Fix: Prevent the dismiss notice button removing all notices from page including notices that contained important information
  • Fix: Fixed Brute Force > Login Whitelist blocking user access to password protected pages.
  • Fix: Force logout link not working in the currently logged-in users list.
  • Fix: Google reCAPTCHA site key and secret key are not verified immediately.
  • Tweak: Code style changes for scanner related pages and future item manager class.
  • Tweak: Reapplied capitalisation style to firewall menu tabs.
  • Tweak: Use “login lockout” instead of “login lockdown” in the UI and email content. Renamed the constant AIOWPS_DISABLE_LOGIN_LOCKDOWN to AIOWPS_DISABLE_LOGIN_LOCKOUT.
  • Tweak: Update tabs, links to match capitalisation style of other UpdraftPlus plugins.
  • Tweak: Added the filter aios_server_type to override the AIOWPSecurity_Utility::get_server_type() method’s return value.
  • Tweak: Show a notice that account activity logs and 404 event logs older than 90 days are cleared automatically.
  • Tweak: Premium upgrade page FAQs linked to correct URL.
  • Tweak: IP address lookup is now called only once per page request; visitor blocking runs only when the user is not logged in; user online information is updated on login only.
  • Tweak: User login lockout: validate that the minimum lockout time is less than the maximum lockout time.
  • Tweak: Take a backup of wp-config before inserting firewall contents.
  • Tweak: Ability to downgrade the firewall’s protection which allows users to reverse the changes from setting up the firewall.
  • Tweak: Set a global context for $wp_file_descriptions context so that it gets assigned to correctly, preventing a subtle visual change in the theme editor
  • Tweak: Black Friday notice
  • Tweak: Update readme.txt file
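The bulk-action CSRF fix in this release, like the list-table nonce fix further up the page, comes down to one missing check: the request must prove it originated from a form this site rendered for this user, and the user must be allowed to do the thing. The block below is an added example, not AIOS code, of a list-table bulk handler before and after that check. It uses the real WordPress nonce and capability functions, with simplified stand-ins defined only when WordPress is not loaded so the file runs on its own; the helper name hypothetical_check_cap_and_nonce, the nonce action string and the table rows are constructed, since the changelog names none of them.

```php
<?php
// Added example (not AIOS code): the missing check behind the CSRF items above,
// shown as a list-table bulk-action handler. The "before" version trusts the
// action and IDs in the request; the "after" version first verifies a nonce
// bound to the action and the current user's capability. wp_create_nonce,
// wp_verify_nonce, current_user_can, wp_die and sanitize_key are real WordPress
// functions; the block below defines simplified stand-ins only when WordPress
// is not loaded. Table contents are constructed.

if (!function_exists('wp_create_nonce')) {
    // Offline stand-ins. Real WordPress nonces are additionally tied to a time
    // tick (valid for roughly 12 to 24 hours) and the session token; this shim
    // keeps only the action and user binding needed to show the check.
    define('HYPOTHETICAL_NONCE_SALT', 'constructed-salt-for-offline-run');
    $GLOBALS['hypothetical_user'] = ['id' => 1, 'caps' => ['manage_options']];
    function wp_create_nonce($action = -1) {
        $uid = $GLOBALS['hypothetical_user']['id'];
        return substr(hash_hmac('sha256', $action . '|' . $uid, HYPOTHETICAL_NONCE_SALT), -12, 10);
    }
    function wp_verify_nonce($nonce, $action = -1) {
        return is_string($nonce) && hash_equals(wp_create_nonce($action), $nonce) ? 1 : false;
    }
    function current_user_can($capability) {
        return in_array($capability, $GLOBALS['hypothetical_user']['caps'], true);
    }
    function wp_die($message = '') {
        throw new RuntimeException((string) $message);
    }
    function sanitize_key($key) {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
    }
}

// Before (the defect): any request with action=delete&ids[]=... is honoured. A
// link or auto-submitting form on an attacker's page, opened by a logged-in
// administrator, deletes rows. The attacker has to guess database IDs, not IPs.
function handle_bulk_action_unsafe(array $request, array &$rows): void {
    if (($request['action'] ?? '') === 'delete') {
        foreach ((array) ($request['ids'] ?? []) as $id) {
            unset($rows[(int) $id]);
        }
    }
}

// After: one helper does both checks. The changelog mentions an internal
// function that checks capability and nonces together but gives no name or
// signature, so this one is illustrative.
function hypothetical_check_cap_and_nonce(array $request, string $nonce_action, string $capability = 'manage_options'): void {
    if (!current_user_can($capability)) {
        wp_die('You do not have permission to perform this action.');
    }
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', $nonce_action)) {
        wp_die('Security check failed: invalid or expired nonce.');
    }
}

function handle_bulk_action_safe(array $request, array &$rows): void {
    $action = sanitize_key($request['action'] ?? '');
    if ($action === '') {
        return;
    }
    // Bind the nonce to this table and operation so a nonce captured from one
    // screen cannot be replayed against another.
    hypothetical_check_cap_and_nonce($request, 'bulk-aiowps-blocked-ips-' . $action);
    if ($action === 'delete') {
        foreach ((array) ($request['ids'] ?? []) as $id) {
            unset($rows[(int) $id]);
        }
    }
}

// Constructed blocked-IP table keyed by database ID.
$rows = [15 => '203.0.113.9', 16 => '198.51.100.4', 17 => '192.0.2.8'];

// Forged cross-site request: correct action and guessed IDs, no nonce.
$forged = ['action' => 'delete', 'ids' => ['15', '16']];

$copy = $rows;
handle_bulk_action_unsafe($forged, $copy);
echo 'unsafe handler left rows: ', implode(',', array_keys($copy)), "\n";

$copy = $rows;
try {
    handle_bulk_action_safe($forged, $copy);
} catch (RuntimeException $e) {
    echo 'safe handler refused: ', $e->getMessage(), "\n";
}
echo 'safe handler left rows: ', implode(',', array_keys($copy)), "\n";

// Legitimate submission: the admin page rendered the nonce (wp_nonce_field) for
// this exact action and the browser sends it back with the form.
$legit = $forged + ['_wpnonce' => wp_create_nonce('bulk-aiowps-blocked-ips-delete')];
$copy = $rows;
handle_bulk_action_safe($legit, $copy);
echo 'legitimate request left rows: ', implode(',', array_keys($copy)), "\n";
```

Inside a real WP_List_Table the display() method already emits a _wpnonce field for the action bulk-{plural}, so the check there is normally check_admin_referer('bulk-' . $this->_args['plural']) together with current_user_can(); single-row links (lock, blacklist, delete) need their own nonce via wp_nonce_url() and the same verification. The point of both is that nothing is touched until both checks have passed.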
Changes
  • Fix: The login loader is visible infinitely on the login screen and administrators can’t log in if the user has enabled maintenance mode and 2FA authentication simultaneously.
  • Fix: Pressing the “Disable Firewall” button didn’t clear new 6G firewall rules.
  • Fix: The application password was disabled by default on the activation of the AIOS plugin.
  • Fix: The error occurred with the error message: Uncaught TypeError:
